[Snort-users] tcpdump filtered for multiple hosts

Richard Bejtlich taosecurity at ...11827...
Sat Oct 22 04:04:12 EDT 2005


Court Graham wrote:

> Does anyone know the syntax to screen for multiple hosts using tcpdump?
>  tcpdump -w filename host ip (this is where I need more than one host)
>  ???

Remember that using 'and' for a BPF primitive means the packet needs
to have both IPs.  You probably want to use 'or', e.g.,

tcpdump -n -i fxp0 -s 1515 host 64.233.167.147 or 68.142.226.42
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 1515 bytes
06:53:05.552531 IP 192.168.2.5 > 64.233.167.147: icmp 64: echo request seq 0
06:53:05.588292 IP 64.233.167.147 > 192.168.2.5: icmp 64: echo reply seq 0
06:53:18.905750 IP 192.168.2.5 > 68.142.226.42: icmp 64: echo request seq 0
06:53:18.920278 IP 68.142.226.42 > 192.168.2.5: icmp 64: echo reply seq 0

That sees ICMP to Google or Yahoo, not Google and Yahoo.

Sincerely,

Richard
http://www.taosecurity.com
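As an added example (not part of Richard's reply or of the Snort project), the shell snippet below builds the "host A or host B or ..." expression from a list of addresses so it can be pasted into a `tcpdump -w` command. It also shows the one extra thing worth knowing when the host list is combined with another primitive such as `icmp`: BPF binds `and` tighter than `or`, so `icmp and host A or host B` means `(icmp and host A) or host B`, and the host list must be parenthesised. The function names `build_host_filter` and `with_proto` are this example's own, and the addresses are the two from the capture above plus an arbitrary third one used only as sample input.

```shell
#!/bin/sh
# Build tcpdump/BPF filter expressions for several hosts.
# Added example; helper names and sample addresses are this example's own.

# build_host_filter IP [IP ...]
# Prints "host A or host B or ..." so a packet matches if it is to or from
# ANY listed address (the 'or' Richard describes; 'and' would need all of them).
build_host_filter() {
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="host $h"
        else
            expr="$expr or host $h"
        fi
    done
    printf '%s\n' "$expr"
}

# with_proto PROTO IP [IP ...]
# Prefixes a protocol primitive and parenthesises the host list. Without the
# parentheses BPF parses "icmp and host A or host B" as
# "(icmp and host A) or host B", which silently widens the capture.
with_proto() {
    proto="$1"
    shift
    printf '%s and (%s)\n' "$proto" "$(build_host_filter "$@")"
}

# Sample input (constructed): the two hosts from the capture plus one more.
filter=$(build_host_filter 64.233.167.147 68.142.226.42 192.0.2.10)
icmp_filter=$(with_proto icmp 64.233.167.147 68.142.226.42 192.0.2.10)

# Print the resulting commands rather than running them, so this is safe to
# execute without root or a live interface. Quote the expression: parentheses
# are shell metacharacters.
printf 'tcpdump -n -i fxp0 -s 1515 -w hosts.pcap "%s"\n' "$filter"
printf 'tcpdump -n -i fxp0 -s 1515 -w icmp-hosts.pcap "%s"\n' "$icmp_filter"
```

To confirm an expression compiles before starting a long capture, run it with `-d` against an existing pcap (`tcpdump -r some.pcap -d "$filter"`), which prints the compiled BPF program and exits without capturing anything.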